Procedure checklist · Reg 17

Record keeping and confidentiality procedure checklist

All CQC-registered providers

Download the PDF

A printable version of this checklist, formatted to work through on paper or take into a team meeting. The disclaimer below applies to the PDF too.

Source anchors

How to use this checklist

Use this checklist to audit whether records explain what happened, who decided, why it was lawful and how confidential information was protected. It can be used monthly, after a records audit, after a confidentiality breach, after an incident linked to poor records, before governance review, or before an inspection-readiness review.

This checklist treats records as a safety and governance control. It checks whether the service can retrieve the right information, whether the record is good enough for continuity of care, and whether access and sharing are controlled.

For each row, record:

Every Part met or Not met item should create an action with an owner and due date.

The PDF is designed for printing, or for completing on screen with a PDF viewer's Fill & Sign, Markup or comment tools. Use those tools to tick boxes and type into the lines.

Service details

Field Local entry
Service name
Location
Date completed
Completed by
Registered Manager
Information Governance Lead
Clinical Lead or Care Lead
Period reviewed

1. Record system and ownership

Check Evidence to review Status Action owner Due date
Record systems and record locations are defined. System list, procedure, staff guidance.
Each record type has an owner and retention rule. Retention schedule, role list.
Staff know where each record should be made and stored. Staff interview, induction record.
Electronic systems are backed up or covered by continuity arrangements. Backup evidence, business continuity plan.
Paper records are stored securely and tracked where moved. Storage check, movement log.
Record audit cadence is defined and followed. Audit schedule, completed audit.

2. Record quality and contemporaneous entries

Check Evidence to review Status Action owner Due date
Records are accurate, complete, factual and attributable. Record sample.
Records are made at the time or as soon as reasonably possible. Timestamp sample, late-entry log.
Records show what happened, what was decided and why. Record sample, decision note.
Corrections and amendments preserve the audit trail. Correction sample, system audit log.
Late entries are clearly labelled with the reason for delay. Late-entry sample.
Vague or judgmental wording is challenged and corrected through supervision or audit. Audit findings, supervision note.

3. Consent, risk, incidents and safeguarding records

Check Evidence to review Status Action owner Due date
Consent and capacity decisions are recorded with reasoning. Consent or MCA sample.
Risk assessments and care plans are updated after change, incident or review. Risk assessment, care plan.
Incident, complaint and safeguarding records link to actions and learning. Incident or safeguarding sample.
Information shared for safeguarding or serious risk is recorded with rationale. Disclosure note, safeguarding record.
Duty-of-candour and notification evidence is linked where relevant. Candour record, CQC notification.
Record gaps are escalated where they affect safe care or governance. Escalation note, action log.

4. Confidentiality, access and sharing

Check Evidence to review Status Action owner Due date
Access permissions are role-based and approved. Access list, approval record.
Access is removed promptly when staff leave or change role. Leaver checklist, access review.
Staff do not use shared logins unless formally approved with controls. System settings, exception record.
Information sharing decisions are lawful, necessary and recorded. Data sharing sample, disclosure note.
Staff check recipient details and minimum necessary content before sending information. Communication audit, staff interview.
Privacy information and confidentiality limits are explained to people using the service. Privacy notice, consent or communication record.

5. Retention, disposal and continuity

Check Evidence to review Status Action owner Due date
Retention schedule covers care, clinical, staff, governance and financial records. Retention schedule.
Archived records are retrievable by authorised people. Archive index, retrieval test.
Disposal is authorised, secure and evidenced. Disposal certificate, destruction log.
Mobile, remote and portable records are controlled. Remote-working record, device policy.
System downtime arrangements protect continuity of care. Downtime plan, test record.
Supplier or processor arrangements cover confidentiality and data protection duties. Contract, data protection schedule.

6. Audit, breach and governance

Check Evidence to review Status Action owner Due date
Record-keeping and access audits run at a stated cadence. Completed audit, access review.
Breaches and near misses are reported, contained and investigated. Breach log, incident record.
ICO, CQC, commissioner or person-notification decisions are recorded where relevant. Breach decision note.
Audit findings create actions with owners, due dates and completion evidence. Action log, improvement actions.
Repeated record or confidentiality gaps are reviewed as workforce or governance themes. Governance minutes, supervision themes.
Learning links to training, supervision, risk management and business continuity. Training update, risk register, continuity action.

7. Summary judgement

Question Answer
Which record type has the weakest evidence trail?
Which access, sharing or confidentiality control has the highest current risk?
Which late entry, correction or missing record needs review?
Which breach, near miss or audit action is overdue?
What would a CQC inspector see if they asked for records evidence today?

8. Action log

Action Source check Owner Due date Completion evidence

9. Completion

Sign-off Name Date
Completed by
Reviewed by Registered Manager

This checklist is a working tool. It does not replace live regulator guidance, legal advice, data protection advice, professional standards, safeguarding advice, clinical judgement or sector-specific record retention requirements.

Related reading

This checklist is a starting point and a guide to what inspectors look for. It is not a complete or deployable procedure, and it is not legal advice. Working through it does not guarantee a rating or compliance. Check all regulatory references and timescales against current primary sources and adapt it to your own service.

Want help adapting this to your service?

A Verivius consultant (an ex-CQC inspector) can work through this with you against the live regulation and your service shape. The work fits inside a Mock Inspection engagement or a shorter consulting brief. A 20-minute conversation is the fastest way to find out whether the fit is right.

Get started free

Free to start, no card. A 14-day trial when you subscribe.